Change the buffer length test in NEEDSP() so that it does not

subtract one unsigned number from another potentially smaller one, leading to wraparound (and heap corruption, eventually). PR: 58813 MFC after: 2 weeks
2003-11-02 23:20:24 +00:00 · 2003-11-02 23:20:24 +00:00 · ce20a8e9be
commit ce20a8e9be
parent 5758d949d5
1 changed files with 2 additions and 1 deletions
--- a/usr.bin/sed/process.c
+++ b/usr.bin/sed/process.c
@ -557,7 +557,8 @@ regsub(sp, string, src)
 	char c, *dst;

 #define	NEEDSP(reqlen)							\
-	if (sp->len >= sp->blen - (reqlen) - 1) {			\
+	/* XXX What is the +1 for? */					\
+	if (sp->len + (reqlen) + 1 >= sp->blen) {			\
 		sp->blen += (reqlen) + 1024;				\
 		if ((sp->space = sp->back = realloc(sp->back, sp->blen)) \
 		    == NULL)						\